A severe Jetpack vulnerability has been disclosed and patched in Jetpack.
The bug allows attackers to publish posts, and has existed since 2012. The Jetpack blog post states the following:
During an internal security audit, we found a bug that allows an attacker to bypass a site's access controls and publish posts. This vulnerability could be combined with other attacks to escalate access. This bug has existed since Jetpack 1.9, released in October 2012.
You should update Jetpack immediately, and the Jetpack team is reaching out to site owners on insecure versions. The blog post states that some accounts may even be disconnected by WordPress.com for the site’s own security.
The ability to perform automatic updates was introduced in WordPress 3.7. The functionality extends well beyond the current use case of automatically upgrading minor versions of WordPress. From the original auto-updates post:
It's worth noting that the "automatic updater" controls more than just WordPress core. … The automatic updater also supports themes and plugins on an opt-in basis. And by default, translations (for themes, plugins, and eventually core) are updated automatically. At some point in the future, the WordPress.org plugin security team will be able to suggest that installs automatically update malicious or dangerously insecure plugins. That's a huge win for a safer web.
Today, the core team is taking advantage of this functionality for the first time, and has been automatically updating old versions of Jetpack to patch this important security vulnerability.
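Site owners do not have to wait for the core team to push an update: the opt-in plugin auto-update mechanism described above can be turned on per plugin. The snippet below is an added example (not code from the Jetpack or WordPress posts) and assumes WordPress 3.7 or later, the `auto_update_plugin` filter it introduced, and the `jetpack` plugin slug.

```php
<?php
// Added example, not from the Jetpack or WordPress posts quoted above.
// Place this in a must-use plugin, e.g. wp-content/mu-plugins/auto-update-policy.php,
// so it loads before any regular plugin and cannot be deactivated from the dashboard.
// Assumes WordPress 3.7+, which introduced the auto_update_plugin filter.

/**
 * Opt selected plugins into automatic updates while leaving every other
 * plugin on the default opt-in behaviour that WordPress 3.7 ships with.
 *
 * @param bool   $update Whether WordPress already intends to auto-update this item.
 * @param object $item   Update offer from api.wordpress.org; $item->slug is the plugin slug.
 * @return bool
 */
function security_auto_update_plugin( $update, $item ) {
    // Plugins that should always receive updates, by wordpress.org slug.
    // 'jetpack' is the assumed slug for the plugin discussed in this post.
    $always_update = array( 'jetpack' );

    if ( isset( $item->slug ) && in_array( $item->slug, $always_update, true ) ) {
        return true;
    }

    // Fall through to whatever WordPress (or another filter) already decided.
    return $update;
}
add_filter( 'auto_update_plugin', 'security_auto_update_plugin', 10, 2 );
```

Sites that are comfortable updating every plugin automatically can instead register `add_filter( 'auto_update_plugin', '__return_true' );`, which opts all plugins in at once.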
The post also states that no known attacks have occurred, but the Jetpack team is not playing down the potential impact of this bug. Site owners and service providers should take this very seriously, and ensure that every known install of Jetpack is updated to Jetpack 2.9.3 as soon as possible.